How the Financial Conduct Authority (FCA) Works
The Financial Conduct Authority operates under powers granted by the Financial Services and Markets Act 2000 (FSMA), substantially amended by the Financial Services Act 2012, which separated conduct regulation from prudential oversight and established the FCA as a standalone body. Its three statutory objectives are protecting consumers, preserving market integrity, and promoting effective competition. For payment businesses, the FCA's most direct interaction is the authorisation lifecycle — from initial application through to ongoing supervision and, where things go wrong, enforcement.
Application via FCA Connect
Firms submit an authorisation or registration application through the FCA's Connect portal. The application package must include a regulatory business plan, three-year financial projections, detailed compliance and AML policies, safeguarding arrangements for customer funds, and fit-and-proper assessments for key individuals. The FCA will not start the statutory clock until it deems the application complete.
Threshold Conditions Assessment
The FCA evaluates whether the applicant meets its threshold conditions — the minimum standards a firm must satisfy to be authorised. These cover legal status, location of offices, adequate financial resources, appropriate management, and business conducted in a sound and prudent manner. Failure on any condition results in refusal.
Authorisation Decision
The FCA has a statutory three-month window from receipt of a complete application to issue its decision. It may grant authorisation unconditionally, grant it with attached requirements (such as transaction volume limits or mandatory reporting), or refuse. Firms authorised under PSD2 as payment institutions are entered on the public FCA Register.
Ongoing Supervision
Authorised firms are assigned to a supervision model proportionate to their risk profile. Higher-risk or systemically important firms receive a dedicated portfolio supervisor; smaller firms are supervised through periodic thematic reviews and regulatory return analysis. Firms must notify the FCA of material changes — new services, key person departures, significant outsourcing — and submit regular returns via the RegData platform.
Enforcement Action
Where firms or individuals breach FCA rules, the regulator can impose financial penalties, issue public censures, vary or cancel regulatory permissions, and refer matters for criminal prosecution. The FCA publishes all final enforcement decisions publicly and operates a whistleblowing programme that generates a significant share of its investigative leads each year.
Why the Financial Conduct Authority (FCA) Matters
The FCA is the gatekeeper to the UK payments market — no firm can legally process third-party payments, issue e-money, or provide account information services without its authorisation or registration. For merchants and platform operators, understanding FCA requirements is essential to avoiding criminal liability and structuring compliant payment flows. The stakes are substantial: regulatory breaches carry severe personal and corporate consequences that go well beyond financial penalties.
The FCA regulates approximately 45,000 financial services firms, making it one of the world's largest conduct regulators by firm count (FCA Annual Report 2022/23). Within the payment sector, the FCA Register lists over 3,500 authorised or registered payment institutions and e-money institutions as of 2024 — a number that has grown sharply since the Payment Services Regulations 2017 transposed PSD2 into UK law. The regulator issued £52.8 million in financial penalties during 2022/23, with a meaningful portion directed at payment and e-money firms for failures in financial crime controls and consumer protection. UK financial services contributes approximately £170 billion annually to GDP — around 8.3% of total economic output — illustrating why rigorous conduct oversight of this sector carries systemic importance beyond individual firm-level concerns (TheCityUK, 2023).
For e-money institutions in particular, FCA authorisation unlocks the legal ability to issue e-money, safeguard customer funds in designated accounts, and operate prepaid products commercially. Without it, these activities are prohibited regardless of the technical structure of the product.
Financial Conduct Authority (FCA) vs. Prudential Regulation Authority (PRA)
The UK's post-2012 financial regulatory architecture divides oversight responsibility between the FCA and the Prudential Regulation Authority (PRA), a subsidiary of the Bank of England. Understanding which regulator has authority over your firm — and what each one cares about — prevents costly misalignment in compliance programmes. Payment institutions, in almost all cases, deal exclusively with the FCA.
| Aspect | FCA | PRA |
|---|---|---|
| Primary focus | Conduct, consumer protection, market integrity | Safety and soundness of individual firms |
| Firms regulated | ~45,000 across all financial services | ~1,500 (banks, insurers, major investment firms) |
| Payment institutions | Yes — sole regulator for PSPs and EMIs | No |
| Enforcement levers | Consumer redress, financial penalties, permission cancellation | Capital buffers, stress tests, resolution planning |
| Legislative basis | FSMA 2000 / Financial Services Act 2012 | Financial Services Act 2012 / Bank of England Act 1998 |
| Open banking oversight | Yes — supervises open banking implementation | No |
| Consumer Duty | Yes — applies to all FCA-regulated firms | No |
| Dual-regulated firms | Conduct rules | Prudential rules |
Most payment technology firms and fintechs are solely FCA-regulated. Banks that also run payment services face dual regulation — FCA for conduct matters and PRA for capital adequacy, liquidity, and resolution.
Types of FCA Authorisation for Payment Firms
The FCA issues distinct categories of permission depending on the nature and scale of a firm's payment or e-money activities. Selecting the correct authorisation type at the outset avoids expensive variation applications and potential enforcement exposure later. Each category carries different capital requirements, safeguarding obligations, and operational restrictions.
Authorised Payment Institution (API) grants permission for all payment services defined under the Payment Services Regulations 2017. APIs may passport into EEA countries (subject to post-Brexit equivalence), face no transaction volume cap, and can appoint agents. Minimum initial capital ranges from €20,000 to €125,000 depending on which payment service categories are held.
Small Payment Institution (SPI) is a simplified registration for firms whose average monthly transaction volume does not exceed €3 million. There is no minimum capital requirement, but SPIs cannot passport and must not exceed the volume threshold. This route suits early-stage payment businesses operating in the UK domestic market.
Authorised Electronic Money Institution (AEMI) is required for firms issuing e-money — including prepaid cards, digital wallets, and stored-value products. Minimum initial capital is €350,000, and firms must safeguard all outstanding customer funds in dedicated accounts or via an approved insurance policy or guarantee.
Small Electronic Money Institution (SEMI) provides a lighter-touch registration for e-money issuers where average outstanding e-money remains below €5 million. The same safeguarding obligations apply but capital and regulatory reporting requirements are reduced, making this appropriate for niche or early-stage e-money products.
Registered Account Information Service Provider (RAISP) covers firms providing read-only access to customer bank account data. Permitted access must be conducted under strong customer authentication standards and with explicit customer consent. Lower capital requirements apply, but full conduct and data protection obligations remain.
Firms with novel payment models that do not yet meet standard authorisation criteria can apply for a place in the FCA's regulatory sandbox, enabling time-limited live testing with real consumers under a bespoke regulatory framework.
Best Practices
Engaging with FCA requirements at the design stage — rather than at the point of launch — materially improves both authorisation outcomes and the quality of compliance programmes that follow. The practices below reflect what consistently well-run regulated payment firms get right, drawn from common patterns in FCA supervisory guidance and enforcement case outcomes.
For Merchants
- Verify your payment provider's FCA status before onboarding. Search the FCA Register at register.fca.org.uk, confirm the provider is authorised — not just registered — and check that their permissions expressly cover the payment service types you require. Using an unregulated provider exposes your business to legal and reputational risk.
- Understand your own regulatory footprint. Marketplaces, platforms, and loyalty schemes that hold or move customer funds may inadvertently be performing regulated payment activities. Seek legal opinion before assuming an exemption applies — the technology layer does not eliminate regulatory substance.
- Review contracts for Consumer Duty alignment. FCA-regulated payment providers must now deliver good outcomes to your customers. Understand how this obligation flows into the products and support journeys you offer, and build contract terms that reflect shared responsibility.
- Ask your provider for evidence of safeguarding arrangements. FCA-regulated payment firms must segregate customer funds from company assets. A written confirmation of the safeguarding account structure and insurer details is your protection if the provider enters insolvency.
For Developers
- Design payment flows to absorb regulatory change. The FCA's rulebook evolves — Consumer Duty, the incoming Payment Services Regulations 2025, and AI-related guidance all require product changes. Build authentication logic, fee disclosures, and consent flows as configurable components rather than hard-coded UI.
- Embed anti-money laundering controls from the start. The FCA expects authorised payment firms to integrate AML and counter-terrorism financing controls into onboarding, transaction monitoring, and suspicious activity reporting workflows. Retrofitting these after launch is expensive and operationally disruptive.
- Maintain granular audit trails. FCA supervisors rely on a firm's ability to produce complete records on demand. Log all payment events, compliance decisions, customer communications, and exception handling with timestamps; retain records for at least five years per FCA requirements.
- Test SCA exemptions rigorously before production. The FCA's technical standards for strong customer authentication specify precise conditions for each exemption type — low-value, trusted beneficiary, corporate, and transaction risk analysis. Test edge cases and failure modes in a staging environment before activating exemption logic at scale.
Common Mistakes
Misunderstanding the boundaries of FCA regulation is one of the most recurring — and consequential — errors that payment businesses make. These mistakes appear repeatedly across FCA enforcement decisions, authorisation refusals, and supervisory reviews.
1. Assuming a technology exemption applies. Many software firms building payment infrastructure believe they are "merely technology providers" and therefore outside FCA scope. If the platform executes payment transactions, holds customer funds, or aggregates account data for third parties, it is almost certainly performing regulated activity — regardless of how the technical architecture is described or contracted.
2. Using an agent arrangement to bypass direct authorisation. Structuring as an agent of an authorised institution is a legitimate model, but the FCA scrutinises these arrangements rigorously. The principal remains fully liable for the agent's conduct, and the agent must be formally appointed, trained, and monitored. Treating the agent model as a shortcut without implementing proper oversight typically results in enforcement action against the principal.
3. Treating authorisation as a one-time event. FCA authorisation is the start of a regulatory relationship, not a certificate to be filed and forgotten. Firms that fail to notify the FCA of material changes — launching new payment services, replacing directors, entering significant outsourcing arrangements — breach their ongoing obligations and face risk of permission variation or cancellation.
4. Under-resourcing the compliance function. The FCA expects payment firms to maintain compliance resources proportionate to their risk profile and transaction volumes. Founding teams that defer compliance hiring until after growth find themselves facing supervision visits with gaps that cannot be closed quickly. A Compliance Officer with relevant payment experience should be in place before, not after, authorisation.
5. Misapplying safeguarding requirements for customer funds. Firms that hold customer funds must safeguard them in a designated account at an FCA-approved credit institution, or via an approved insurance policy or guarantee. Commingling customer funds with operating revenue, using the safeguarding account for day-to-day payments, or failing to perform daily reconciliations are among the most common grounds for FCA enforcement in the payment sector — and among the most difficult to remediate quickly.
Financial Conduct Authority (FCA) and Tagada
Payment orchestration platforms operate within a chain of FCA-regulated counterparties — acquirers, payment processors, and e-money issuers — and the compliance status of every link in that chain matters. When configuring routing logic, merchants and developers should treat FCA verification as a standard pre-activation step for each provider, not a one-off due-diligence exercise at platform onboarding.
Verify FCA permissions before activating a provider in Tagada
Before routing live transactions through a new payment provider in Tagada's configuration, confirm the provider's FCA Register entry and validate that their authorised permissions expressly cover your transaction types — particularly recurring payments, high-value transfers, or transactions in regulated product categories such as insurance premiums or investment contributions. A single unregulated or improperly permitted provider in the routing stack can expose the entire payment flow to legal risk. Check register.fca.org.uk and retain a dated screenshot of the permission confirmation for your compliance records.
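The pre-activation step above can be enforced in code as a gate that refuses to route to any provider without a current, sufficient Register check on file. This is an added example, not Tagada's API or configuration format: the `RegisterCheck` record, the 90-day re-verification window, and the provider names and file paths are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

MAX_EVIDENCE_AGE_DAYS = 90  # assumption: re-verification interval; the page sets none

@dataclass
class RegisterCheck:
    """Hand-recorded result of a provider lookup on register.fca.org.uk."""
    status: str         # "authorised" or "registered", as read off the Register
    permissions: set    # transaction types the recorded permissions cover
    checked_on: date    # date on the retained screenshot
    evidence_ref: str   # where that screenshot is filed

def activation_blockers(provider, tx_types, checks, today):
    """Return reasons the provider must not take live traffic (empty list = clear)."""
    check = checks.get(provider)
    if check is None:
        return ["no FCA Register check on file"]
    reasons = []
    if check.status != "authorised":
        reasons.append(f"status is '{check.status}', not 'authorised'")
    missing = sorted(set(tx_types) - check.permissions)
    if missing:
        reasons.append("permissions do not cover: " + ", ".join(missing))
    age = (today - check.checked_on).days
    if not 0 <= age <= MAX_EVIDENCE_AGE_DAYS:
        reasons.append(f"check dated {check.checked_on} is outside the review window")
    if not check.evidence_ref:
        reasons.append("no retained screenshot reference")
    return reasons

def gate_routes(routes, checks, today):
    """Split a routing table into (cleared providers, {blocked provider: reasons})."""
    blocked = {p: r for p, t in routes.items()
               if (r := activation_blockers(p, t, checks, today))}
    return sorted(set(routes) - set(blocked)), blocked

# Constructed sample data: provider names, dates and file paths are invented.
SAMPLE_CHECKS = {
    "acquirer-a": RegisterCheck("authorised", {"recurring payments"}, date(2025, 5, 10), "ev/a.png"),
    "wallet-b": RegisterCheck("registered", {"recurring payments"}, date(2025, 5, 20), "ev/b.png"),
    "psp-c": RegisterCheck("authorised", {"high-value transfers"}, date(2024, 11, 1), "ev/c.png"),
}
SAMPLE_ROUTES = {
    "acquirer-a": {"recurring payments"},
    "wallet-b": {"recurring payments", "insurance premiums"},
    "psp-c": {"high-value transfers"},
    "psp-d": {"recurring payments"},
}
```

Calling `gate_routes(SAMPLE_ROUTES, SAMPLE_CHECKS, date(2025, 6, 1))` clears only `acquirer-a`; the other three are held back for a registered-only status with uncovered permissions, a stale check, and a missing check respectively.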